Paubox blog: HIPAA compliant email made easy

FAQs: HIPAA covered entities

Written by Liyanda Tembani | February 13, 2024

Under HIPAA, covered entities include health plans, healthcare providers who electronically transmit health information, and healthcare clearinghouses. Healthcare organizations can determine their status as covered entities by assessing whether they engage in electronic transactions involving individually identifiable health information. If an organization electronically conducts tasks like claims submissions, it is likely a covered entity and must comply with HIPAA regulations. 

Related: How to know if you’re a covered entity

 

Who is a HIPAA covered entity?

HIPAA covered entity is any organization or individual obligated to comply with the HIPAA Privacy Rule. This includes safeguarding protected health information (PHI) electronically used, transmitted, or maintained for healthcare services. Covered entities may encompass health plans, healthcare providers, and healthcare clearinghouses. 

 

Who falls under the category of health plans as HIPAA covered entities?

Entities falling within the health plans category include:

  • health insurance companies,
  • Health Maintenance Organizations (HMOs),
  • company health plans,
  • and government programs like Medicare and Medicaid.

This designation means that these organizations are bound by the regulations outlined in the HIPAA Privacy Rule and must adhere to specific standards for safeguarding PHI. 

 

I run a small practice without electronic systems. Am I subject to HIPAA?

When a small practice doesn't use electronic systems to transmit PHI in standard transactions, it may not fall under the designation of a HIPAA covered entity. While HIPAA coverage might not apply in this specific circumstance, there could still be obligations under state-specific patient confidentiality laws. Small practices should carefully assess their operations to determine their regulatory responsibilities and ensure compliance with applicable privacy regulations at both the federal and state levels.

 

What is a business associate and what are their obligations?

A business associate is a third-party company working with a covered entity, accessing PHI. They must have a written contract outlining specific responsibilities and ensuring PHI safeguarding, making them directly liable for certain HIPAA violations.

 

What is the Notice of Privacy Practices (NPP)?

Covered entities must provide their clients with a Notice of Privacy Practices (NPP). This document explains how covered entities use and disclose PHI. Additionally, the NPP outlines patients' privacy rights under HIPAA. The NPP promotes a stronger sense of trust and informed decision-making within the healthcare relationship by offering transparency about privacy practices.

 

Are there specific guidelines for PHI disposal to ensure compliance?

Certainly, covered entities must adhere to specific guidelines when disposing of PHI to maintain compliance with HIPAA regulations. For physical records, secure disposal methods like shredding are recommended. Covered entities must employ secure deletion methods for electronic PHI. 

 

How can covered entities enhance patient education on privacy practices?

Covered entities can enhance patient education on privacy practices by creating user-friendly materials that clearly articulate how patient information is handled. Additionally, conducting workshops and using digital platforms for informational outreach empowers patients with a deeper understanding of their rights and the security measures in place for their health information.

 

What steps should covered entities take in the event of a data breach?

In the unfortunate event of a data breach, covered entities must take swift and comprehensive action. This involves promptly notifying affected individuals, reporting the breach to the Office for Civil Rights (OCR), and implementing corrective measures to prevent future breaches. Having a well-defined breach response plan allows covered entities to effectively navigate and mitigate the impact of a security incident while maintaining compliance with HIPAA regulations.

 

Can covered entities use cloud services for storing and processing PHI?

Yes, covered entities can use cloud services for storing and processing PHI, but it requires careful consideration. They must ensure that the chosen cloud service provider complies with HIPAA regulations, implement proper encryption and access controls, and have a well-defined data management strategy. 

Related: The HIPAA compliant cloud services checklist 

 

How can covered entities balance patient access to PHI with security measures?

Covered entities should use HIPAA compliant email to share PHI with their patients and employ multi-factor authentication for access. Additionally, they must clearly communicate to patients the importance of safeguarding login credentials to ensure the accessibility and security of health information.